ELB Security Groups and Monitoring

Learn about the different security groups and how monitoring works for ELBs.

ELB security groups#

Security groups control the ports and protocols that can reach the front-end listener.

In non-default VPCs, you can choose which security group to assign. The security group must allow the ports and protocols of the front-end listener, and it must also allow the health check ports and the backend listener ports.

Security group configuration for ELB#

Inbound to ELB (allow):

Internet-facing ELB:

  • Source: 0.0.0.0/0
  • Protocol: TCP
  • Port: ELB listener ports

Figure: Inbound rules configuration for Internet-facing ELB

Internal-only ELB:

  • Source: VPC CIDR
  • Protocol: TCP
  • Port: ELB listener ports

Figure: Inbound rules configuration for internal-only ELB

Outbound (allow, either type of ELB):

  • Destination: EC2 registered instances security group
  • Protocol: TCP
  • Port: Health Check/Listener

Figure: Outbound rules for either type of ELB

Security group configuration for registered instances#

Inbound to registered instances (allow, either type of ELB):

  • Source: ELB Security Group
  • Protocol: TCP
  • Port: Health Check/Listener

Figure: Inbound rules for registered instances

Outbound (allow, either type of ELB):

  • Destination: ELB Security Group
  • Protocol: TCP
  • Port: Ephemeral

Figure: Outbound rules for registered instances

Network ACLs on the subnets involved must also permit this traffic. NACLs are stateless, so unlike security groups they need explicit rules for the return traffic on ephemeral ports as well as for the listener and health check ports.
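An added example (not code from the original lesson) that audits a pair of security groups against the layout above. It assumes the rules have been pulled with boto3's describe_security_groups, whose IpPermissions / IpPermissionsEgress structure the inline dictionaries imitate; the group ids sg-elb and sg-app, the CIDR 10.0.0.0/16, the listener ports 80/443 and the backend port 8080 are all constructed values. The instance group deliberately carries one rule that opens the backend port to the internet, which the audit flags because it lets clients bypass the load balancer.

```python
"""Audit ELB and instance security groups against the lesson's layout.

Added example, not part of the original lesson. The rule dictionaries use the
IpPermissions / IpPermissionsEgress shape of boto3 describe_security_groups but
are constructed inline (sg-elb, sg-app and 10.0.0.0/16 are made up), so the
audit runs offline.
"""
from ipaddress import ip_network

EPHEMERAL = (1024, 65535)  # return-traffic range the instances need toward the ELB

def _ports(perm):
    """Port range of one rule; protocol -1 ("all traffic") means every port."""
    if perm.get("IpProtocol") == "-1":
        return (0, 65535)
    return (perm["FromPort"], perm["ToPort"])

def _within(rng, allowed):
    """True when every port in rng is covered by allowed (a set of ports or a (lo, hi) range)."""
    lo, hi = rng
    if isinstance(allowed, tuple):
        return allowed[0] <= lo and hi <= allowed[1]
    return all(p in allowed for p in range(lo, hi + 1))

def _check_tcp_ports(perm, allowed, label, findings):
    """A rule must be TCP and must not open ports beyond those the layout needs."""
    proto = perm.get("IpProtocol")
    if proto != "tcp":
        findings.append(f"{label}: protocol {proto!r} allowed, expected tcp")
    if not _within(_ports(perm), allowed):
        findings.append(f"{label}: ports {_ports(perm)} exceed allowed {sorted(allowed)}")

def audit_elb_sg(sg, scheme, vpc_cidr, frontend_ports, backend_ports, instance_sg_id):
    """ELB group: inbound only listener ports from the right source (anywhere for
    internet-facing, the VPC CIDR for internal); outbound only to the instances' group."""
    findings = []
    for perm in sg["IpPermissions"]:
        _check_tcp_ports(perm, frontend_ports, "ELB inbound", findings)
        for r in perm.get("IpRanges", []):
            src = ip_network(r["CidrIp"])
            if scheme == "internal" and not src.subnet_of(ip_network(vpc_cidr)):
                findings.append(f"ELB inbound: internal ELB reachable from {src}, expected within {vpc_cidr}")
    for perm in sg["IpPermissionsEgress"]:
        _check_tcp_ports(perm, backend_ports, "ELB outbound", findings)
        if perm.get("IpRanges"):
            findings.append("ELB outbound: CIDR destination, expected the instance security group only")
        for pair in perm.get("UserIdGroupPairs", []):
            if pair["GroupId"] != instance_sg_id:
                findings.append(f"ELB outbound: destination group {pair['GroupId']}, expected {instance_sg_id}")
    return findings

def audit_instance_sg(sg, elb_sg_id, backend_ports):
    """Instance group: inbound only from the ELB's group on backend ports, plus an
    ephemeral-port TCP rule back toward the ELB's group."""
    findings = []
    for perm in sg["IpPermissions"]:
        _check_tcp_ports(perm, backend_ports, "instance inbound", findings)
        for r in perm.get("IpRanges", []):
            findings.append(f"instance inbound: CIDR source {r['CidrIp']} bypasses the ELB, expected {elb_sg_id}")
        for pair in perm.get("UserIdGroupPairs", []):
            if pair["GroupId"] != elb_sg_id:
                findings.append(f"instance inbound: source group {pair['GroupId']}, expected {elb_sg_id}")
    has_return_path = any(
        perm.get("IpProtocol") == "tcp"
        and _within(EPHEMERAL, _ports(perm))
        and any(p["GroupId"] == elb_sg_id for p in perm.get("UserIdGroupPairs", []))
        for perm in sg["IpPermissionsEgress"]
    )
    if not has_return_path:
        findings.append(f"instance outbound: no TCP {EPHEMERAL} rule toward {elb_sg_id}")
    return findings

# Constructed groups: the ELB group follows the layout; the instance group has
# one extra rule that exposes the backend port to the whole internet.
ELB_SG = {"GroupId": "sg-elb", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
], "IpPermissionsEgress": [
    {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080, "UserIdGroupPairs": [{"GroupId": "sg-app"}]},
]}
APP_SG = {"GroupId": "sg-app", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080, "UserIdGroupPairs": [{"GroupId": "sg-elb"}]},
    {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
], "IpPermissionsEgress": [
    {"IpProtocol": "tcp", "FromPort": 1024, "ToPort": 65535, "UserIdGroupPairs": [{"GroupId": "sg-elb"}]},
]}

def run_audit(scheme="internet-facing"):
    """Audit the constructed pair; returns (elb_findings, instance_findings)."""
    return (audit_elb_sg(ELB_SG, scheme, "10.0.0.0/16", {80, 443}, {8080}, "sg-app"),
            audit_instance_sg(APP_SG, "sg-elb", {8080}))

if __name__ == "__main__":
    elb_findings, app_findings = run_audit()
    for finding in elb_findings + app_findings:
        print(finding)
```

Running the audit as internet-facing reports only the stray 0.0.0.0/0 rule on the instance group; auditing the same ELB group as internal flags both listener rules, because a VPC-internal balancer should not be reachable from outside the VPC CIDR.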

Distributed Denial of Service (DDoS) protection#

  • ELB automatically distributes incoming application traffic across multiple targets such as Amazon Elastic Compute Cloud (Amazon EC2) instances, containers, and IP addresses, and multiple Availability Zones, which minimizes the risk of overloading a single resource.
  • ELB, like CloudFront, only supports valid TCP requests, so DDoS attacks such as UDP and SYN floods are not able to reach EC2 instances.
  • ELB also offers a single point of management and can serve as a line of defense between the internet and your backend, private EC2 instances.

ELB monitoring#

Monitoring takes place using the following:

  • CloudWatch — every 1 minute
    • The ELB service only publishes metrics while requests are active.
    • It can be used to trigger SNS notifications.
  • Access Logs
    • Disabled by default
    • Includes information about the clients (not included in CloudWatch metrics)
    • Can identify requester, IP, request type, etc.
    • Can be optionally stored and retained in S3
  • CloudTrail
    • Can be used to capture API calls to the ELB
    • Can be stored in an S3 bucket
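As an added example (not from the original lesson), the parser below shows what the access logs give you that CloudWatch metrics do not: the client address and port, the request, and whether a backend handled it. It follows the documented Classic Load Balancer access-log field order; the four log lines are constructed samples using documentation IP ranges, and the load balancer name prod-web-clb is invented.

```python
"""Parse Classic Load Balancer access-log lines and summarize them by client.

Added example, not from the original lesson. Field order follows the documented
CLB access-log layout: timestamp, elb, client:port, backend:port, three
processing times, elb and backend status codes, received and sent bytes, the
quoted request, the quoted user agent, ssl cipher and ssl protocol. The sample
lines are constructed, not captured from a real load balancer.
"""
import re
from collections import Counter

LOG_RE = re.compile(
    r'^(?P<timestamp>\S+) (?P<elb>\S+) (?P<client>\S+) (?P<backend>\S+) '
    r'(?P<request_time>\S+) (?P<backend_time>\S+) (?P<response_time>\S+) '
    r'(?P<elb_status>\S+) (?P<backend_status>\S+) (?P<received>\d+) (?P<sent>\d+) '
    r'"(?P<request>[^"]*)" "(?P<user_agent>[^"]*)" (?P<ssl_cipher>\S+) (?P<ssl_protocol>\S+)$'
)

# Constructed sample log: two plain requests, one request the ELB could not hand
# to any backend (backend "-", backend times -1, ELB status 503), one HTTPS hit.
SAMPLE_LOG = """\
2024-03-01T10:00:01.123456Z prod-web-clb 203.0.113.10:51234 10.0.1.20:8080 0.000060 0.002100 0.000040 200 200 0 512 "GET http://www.example.com:80/ HTTP/1.1" "curl/8.4.0" - -
2024-03-01T10:00:02.654321Z prod-web-clb 203.0.113.10:51235 10.0.1.21:8080 0.000055 0.001900 0.000042 200 200 0 1024 "GET http://www.example.com:80/health HTTP/1.1" "curl/8.4.0" - -
2024-03-01T10:00:03.000000Z prod-web-clb 198.51.100.7:40001 - 0.000050 -1 -1 503 - 0 0 "GET http://www.example.com:80/ HTTP/1.1" "python-requests/2.31" - -
2024-03-01T10:00:04.500000Z prod-web-clb 203.0.113.10:51236 10.0.1.20:8080 0.000070 0.003000 0.000045 200 200 120 256 "POST https://www.example.com:443/login HTTP/1.1" "Mozilla/5.0" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2
"""

def _endpoint(field):
    """Split "ip:port" into (ip, port); the ELB writes "-" when no backend took the request."""
    if field == "-":
        return None, None
    ip, _, port = field.rpartition(":")
    return ip, int(port)

def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match the layout."""
    m = LOG_RE.match(line)
    if not m:
        return None
    f = m.groupdict()
    client_ip, client_port = _endpoint(f["client"])
    backend_ip, backend_port = _endpoint(f["backend"])
    parts = f["request"].split(" ", 2) + ["-", "-", "-"]  # pad malformed "- - -" requests
    return {
        "timestamp": f["timestamp"],
        "elb": f["elb"],
        "client_ip": client_ip,
        "client_port": client_port,
        "backend_ip": backend_ip,                   # None when no backend was reached
        "backend_port": backend_port,
        "backend_time": float(f["backend_time"]),   # -1 when no backend was reached
        "elb_status": int(f["elb_status"]),
        "backend_status": None if f["backend_status"] == "-" else int(f["backend_status"]),
        "method": parts[0],
        "url": parts[1],
        "user_agent": f["user_agent"],
        "tls": None if f["ssl_protocol"] == "-" else (f["ssl_protocol"], f["ssl_cipher"]),
    }

def parse_log(text):
    """Parse every non-empty line; lines that do not match are dropped."""
    records = []
    for line in text.splitlines():
        if line.strip():
            rec = parse_line(line)
            if rec:
                records.append(rec)
    return records

def requests_by_client(records):
    """Per-client request counts, the view CloudWatch metrics cannot give you."""
    return Counter(r["client_ip"] for r in records)

def elb_errors(records):
    """Requests the ELB answered with a 5xx, including ones no backend ever saw."""
    return [r for r in records if r["elb_status"] >= 500]

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for ip, n in requests_by_client(recs).most_common():
        print(f"{ip:15} {n} requests")
    for r in elb_errors(recs):
        print(f"ELB {r['elb_status']} for {r['client_ip']} {r['method']} {r['url']} (backend: {r['backend_ip']})")
```

A request with a "-" backend and a 503 from the ELB itself is the signature of a listener with no healthy registered instances at that moment; correlating those entries with the health check ports allowed in the security groups above is a quick way to tell a misconfigured rule from an application fault.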

Limits#

The following table details the default limits for your account on a per-region basis:

Name                        Default Limit
Application Load Balancers  20
Network Load Balancers      20
Target Groups               3000
Classic Load Balancers      20
